Hide nuke_opt_values() if stoken support not built

auth.c:498:13: warning: 'nuke_opt_values' defined but not used [-Wunused-function]

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

stoken: Update documentation, manpage with libstoken information

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Fill in "password" fields with a generated tokencode

If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Implement new auth form to gather soft token information

If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection.  If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Add --stoken option to CLI, and invoke library to set up soft token

--stoken allows specifying a token string on the command line, or telling
the library to read it from ~/.stokenrc .

--version will indicate whether openconnect was built with software token
support.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Add software token functions to library API; bump to v2.1

openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.

openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed.  Unless this function is
called, the library will not try to use a soft token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Link with libstoken if available

libstoken [1] implements a "software token" that generates one-time
passwords from RSA SecurID 128-bit (AES) token seeds.

[1] http://stoken.sf.net/

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Allow optional arguments in the config file

getopt_long() treats an argument as optional if has_arg == 2.  Extend
this feature to the config file parser as well.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Move strcasestr() implementation to compat.c

Note: this change is untested.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Fix missing newline in the "No form handler" error message

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Link to OpenConnect SOCKS proxy (ocproxy) from documentation

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Update Debian package status

Debian stable (squeeze) includes openconnect,
network-manager-openconnect, and OpenSSL 0.9.8o:

http://packages.debian.org/squeeze/openconnect

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Fix a couple of minor typos

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Delete references to long-removed SecurID code

Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix leaks on failure paths in OpenSSL openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix use-after-free of numeric IPv6 hostname on error path

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix fd/memory leak on error return from openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close dtls_fd on error returns from connect_dtls_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close config_fd before returning from write_new_config()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close ssl_sock before returning error in connect_https_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free CSTP option structure before error return if malloc fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close XML file handle before error return if fstat() fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix error reporting when failed to write CSD script file

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix potential NULL dereference in error path in gnutls_pkcs11_simple_parse()

Spotted by Coverity. Also fixed in GnuTLS already in commit 6aca5dd7.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix token serial number matching when trying to find hidden PKCS#11 key

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Be explicit when we're connecting to a proxy not directly to a VPN server

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.07

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add missing : to getopt string for -p which takes a parameter.

Print an error rather than trying to strdup(NULL) if the parameter
is not specified.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle CSTP rekey when stalled

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix CSTP write stall handling

We were handling the -EAGAIN case as a hard error and tearing down the
connection. Instead, we should just wait for the socket to become writeable.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.06

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check for system CA certificate file for GnuTLS

Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required.  Auto-detection is
inspired by the GnuTLS configure script.

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix strict-aliasing warning with DTLS local port handling

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve error reporting for vpnc-script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle PKCS#11 tokens which don't list keys before login

If the user passed only one URL for both key+cert, and the cert was found,
then at least *try* looking for the key in the same token before giving up.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.05

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use correct XML tag for CSD script on Mac

Other operating systems still get the Linux version, and will need a
wrapper or something to make it cope.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove CSD script when done with it

We still don't remove it if the user hits Ctrl-C when we're logging in.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Only setuid() for CSD if a user was specified.

Otherwise it'll be setuid(0) which will (mostly) be a no-op for root, or
fail for non-root users.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove -vpnclient arg from CSD invocation

It never made any sense, and doesn't seem to be necessary.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove obsolete --key-type option from usage help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix endless loop when multiple PKCS#11 tokens need PINs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs

Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't forget key password on reconnect / change hosts in GUI.

As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

mainloop.c - malloc without a prototype

I noticed a little problem building OpenConnect against gnutls 3;
mainloop.c uses malloc() in queue_new_packet(), somewhere in the chain
of openssl headers stdlib.h gets pulled in so it works ok there, but
this isn't the case with a gnutls build.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix 'make update-translations' not to remove file headers

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.04

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Strip out full header when comparing po files

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix spelling error in --pid-file help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS password handling for PKCS#8 files

When we have no preconfigured password for a PKCS#8 file, we were getting
the wrong error and were aborting instead of asking for a password.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.03

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix --no-proxy option

A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.

This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b). Although it was falling through to the --script
option then.

Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Separate requested from received MTU settings

This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.

It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection into an override for the reconnect.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above

The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Advertise TLS1.0 not SSL3.0 in GnuTLS ClientHello

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove hard-coded table of ciphers for PEM decryption

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve cipher coverage of OpenSSL encrypted PEM support for GnuTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.02

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build failure on systems without GnuTLS v3

Oops. Including header files which are only available in GnuTLS v3 is
probably not cunning, if we're building with OpenSSL or with GnuTLS v2.

Pointed out by Stuart Henderson (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix DTLS MTU for GnuTLS

GnuTLS defaults to an MTU of 1200 (less the 13-byte overhead), and will
truncate data packets accordingly. We *really* don't want that...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix SEGV on cstp_reconnect() without deflate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up Transifex import some more

Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build on systems without O_CLOEXEC

Reported by Ryan Steinmetz <zi@freebsd.org>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add source port option for DTLS

Signed-off-by: Steven Ihde <sihde@hamachi.us>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Transifex import: Reduce churn, and don't forget to add new translations

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Rebuild openconnect.8 if necessary before openconnect.8.inc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print correct error when /dev/net/tun open fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't require zlib in pkgconfig if it was found without it

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.00

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Run msgmerge after importing translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add translations that GNOME NetworkManager-openconnect has, that we don't

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo in error message

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Support old-style OpenSSL encrypted PEM keys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leaks in text-mode process_form_opts

The caller probably won't free the returned answers if we return error,
so do it locally.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

NUL-terminate blobs from Andoird keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix PKCS#11 cleanup when no SSL certificate is set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add Android keystore support for --cafile

Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>

Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add missing includes and libs to Android.mk

I probably shouldn't need to add libc, but it shouldn't hurt either, and I
*do* need it. Otherwise I think my screwed up local build system is using
the wrong one. One day I'll actually get AOSP or Cyanogen to build properly
and I won't have to suffer with this cobbled-together pile of crap that I'm
using...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Switch from Android's keystore_get() to our own keystore_fetch()

This gives proper error handling which Android's lacks.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix double-free of BIO in loading cert from keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>